Governments Look to Innovation to Solve the Shortage of Cybersecurity Professionals

The flood of surveys and reports detailing the shortage of qualified IT and cybersecurity professionals is unrelenting. Estimates put the shortfall at anywhere from 1.8 million to 3.5 million in the next five years.

In the United States there are 112,000 unfilled openings for information security analysts alone, plus another 200,000 openings seeking cybersecurity-related skills, according to CyberSeek, a platform designed to close the cyber talent gap and supported by the National Initiative for Cybersecurity Education, a program of the National Institute of Standards and Technology.

The cybersecurity workforce shortage is even worse than the job numbers suggest, according to a report from Cybersecurity Ventures, because every IT position is also a cybersecurity position now. “Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people,” the report says.

Government officials, both Federal and state, are looking for innovative ways to create a pipeline of skilled professionals to fill those jobs, especially given that the public sector generally can’t match private-industry salaries for IT professionals, according to a recent report by the Pew Charitable Trusts.

Stanton Gatewood, Georgia’s CISO, said that the shortage stems not only from competition with the private sector and an aging workforce, but from stringent educational and experience requirements that make it hard to recruit.

“We’re writing requirements that are just through the roof,” he said. Instead, government needs to rethink those requirements and seek out nontraditional job candidates who have different types of backgrounds, such as gamers, code writers, law enforcement personnel, and military officials.

Indeed, some state governments are looking to military veterans to fill cybersecurity jobs, according to a recent report from The Pew Charitable Trusts. In Virginia, for example, where about 700,000 veterans reside, the government has launched a pilot program with Syracuse University to help veterans enter the cybersecurity workforce by providing free, hands-on training, assistance in getting industry certification, and career services.

“These are people who already have demonstrated interest in public service,” said Deborah Blyth, CISO for the state of Colorado, which is running a similar recruitment program for military vets who have shown an interest or aptitude in cybersecurity or have some cyber experience.

At the Health and Human Services Department (HHS) and other Federal agencies, officials are looking to stimulate a “youth movement” to create a pipeline of IT and cybersecurity professionals, said Beth Killoran, CIO at HHS and co-chair of the Federal Chief Information Council Workforce Committee.

They are seeking “dedicated civil servants from a younger generation, which is very ‘now centric’ and accustomed to immediacy in technology,” she said in a recent CIO Council blog post. However, she cautioned, “recruiting this generation with mission and vision, while asking them to endure an extensively long hiring and onboarding process, will be difficult.”

Another innovative way to fill the jobs gap is simply to reduce the reliance on IT professionals in government by automating some functions and moving to the cloud or shared services, according to acting Federal CIO Grant Schneider.

“We’re never, certainly in government and also in industry, going to be able to get the workforce we need to defend all of these different systems,” Schneider said. “Quite frankly, we just end up stealing each other’s employees.”

Chris Townsend, Federal vice president at Symantec, said that rethinking Federal security architecture is the best path forward for effective and efficient automation.

“The cyber industry is pretty fragmented right now, and a lot of agencies are taking a best-of-breed approach to building their security architecture,” Townsend told MeriTalk. “But, best-of-breed approaches–and their lack of standardization, integration, and automation–become very human-heavy when trying to address today’s sophisticated threats. This is not sustainable, particularly when considering the significant cyber workforce challenge. The current push for IT modernization presents a golden opportunity for agencies to build a reference architecture model that maps out where they want to take security and determine how they will build toward that over time. They don’t need to use a ‘one-stop-shop,’ but their solutions should be standardized to work together–which will drive much easier and greater automation.”

Steve Kovac, vice president of global governments and compliance at ZScaler, an internet security firm, agreed that automation can help.

“It absolutely does help–some,” he told MeriTalk. “I fall back to the original charter of FedRAMP that said, ‘build it once, use it many times.’ It takes the burden off. To be able to click a button and say, ‘give me firewall, give me email scanning,’ is great. I don’t need somebody managing that anymore. That’s good, but it still doesn’t solve the bigger problem” because government is simply shifting the problem to the contractor.

The IT staffing shortage is still “the biggest problem we face,” he said.